Despite its silly-sounding acronym, the Health Insurance Portability and Accountability Act (HIPAA) is no laughing matter. Failure to comply with this wide-reaching piece of healthcare policy could put your organization’s future in serious jeopardy — to the tune of crippling financial penalties or even criminal charges.
Thus, it’s imperative that you and your staff are not only hip to all HIPAA requirements, but also dedicated to ensuring full compliance within your organization. Here’s a basic HIPAA compliance checklist to get you started:
1) Make sure your technology toes the HIPAA line.
This goes beyond ensuring your electronic records system (i.e. your practice’s EMR or EHR) has HIPAA — and PHI — on lock.
Today’s medical providers use a variety of software programs and electronic devices as part of their clinical practice— from wearables to telehealth platforms — and they all need to be fully HIPAA-compliant. For the most part, technology developed specifically for healthcare use was built with HIPAA standards in mind.
However, if you’re using a program that was not originally created for healthcare purposes — I’m looking at you, Skype — then you’re leaving your practice vulnerable to violating the requirements of any HIPAA compliance checklist.
2) Have an NPI for your organization and each HIPAA-covered provider on your staff.
As explained here, HIPAA requires any entity that renders healthcare services to have a unique 10-digit National Provider Identifier (NPI). There are two types of NPIs:
- Type 1 NPIs are for individual practitioners
- Type 2 NPIs are for organizations
It might seem like overkill to have an organization-level NPI as well as identifiers for each individual rendering provider, but it’s actually pretty important, as it prevents any potential mix-ups regarding which doctor provided which services to which patient.
This is especially important when physicians with similar names practice in the same city or under the same type 2 NPI. For more information — or to obtain a new NPI — check out this page.
3) Get your PHI ducks in a row.
This is the part of HIPAA that gets the most airplay in the healthcare space — and for good reason. Violations to HIPAA’s Privacy Rule — which governs the manner in which HIPAA-covered entities (e.g., healthcare providers) and their business associates (e.g., billing services or EHR vendors) handle patients’ protected health information (PHI) — can lead to penalties of up to $50,000 per offense. Yeah, scary.
For a comprehensive summary of the Privacy Rule, take a look at this HHS resource. Keep in mind that because each healthcare organization functions differently, there’s no cookie-cutter plan for ensuring compliance with these requirements.
That said, here are the main action-items healthcare providers should be aware of:
- Know what constitutes PHI, and pinpoint all instances of PHI in your organization.
- Find a patient privacy champion in your organization, and make him or her your formal “privacy official.” That means he or she will create and implement policies and processes designed to ensure full compliance with HIPAA privacy standards. This person will also field any privacy-related concerns, questions, and requests.
- Develop a Notice of Privacy Practices (NPP) that “provides a clear, user friendly explanation of individuals rights with respect to their personal health information and the privacy practices of health plans and health care providers.” (Review sample NPPs here.)
- Record all uses and disclosures of PHI in your organization.
- Allow patients an appropriate level of control over their own PHI, consistent with the Privacy Rule.
- When necessary, obtain explicit, written consent to disclose PHI.
- Adhere to the “minimum necessary” philosophy for PHI disclosure. As stated here, that means a “[healthcare] entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish [an intended purpose].”
- Create a list of your business associates (i.e., external companies and organizations that may be exposed to your patients’ PHI) and ensure you have a formal business associate agreement (BAA) with each.
- Implement adequate physical, technical, and administrative safeguards to prevent illegal PHI disclosure — whether that disclosure is intentional or unintentional.
- Continuously train your staff on HIPAA policies and procedures, and ensure your privacy officer maintains a record of those policies and all associated training activities.
4) Secure electronic PHI by implementing the appropriate technical and non-technical safeguards.
In this day and age, electronic data storage and transmission is commonplace in nearly every industry — and that means consumer identities are more vulnerable to hackers and cybercriminals. This is especially true in the healthcare space, which is why electronic PHI storage and transmission is so heavily regulated.
To that end, HIPAA’s Security Rule — which deals specifically with electronic patient information — requires covered entities to “adopt an ongoing process of risk analysis” in which they:
- Identify risks to unlawful access to electronic PHI in their organization.
- Assess the security measures—including administrative, technical, and physical safeguards—that currently exist in the organization.
- Address any gaps in the organization’s security program.
- Document risk assessment and remediation efforts.
- Repeat this entire process periodically.
5) Come up with a breach notification plan.
Hopefully, you’ll never have to notify anyone of a PHI breach — especially if you follow all of the steps above. But, if worse comes to worst and you discover that the security of your organization’s PHI has been compromised, you’ll need to know if and when you should notify the affected patients, the government, or even the media.
To help you formulate a course of action for each potential breach scenario, review this HHS resource.
There you have it — a basic HIPAA compliance checklist in 2017 and beyond. Adhere to these to-dos, and you’ll be well on your way to keeping sensitive patient information safe — and preventing you and your organization from incurring any hefty penalties.